NAP 802.1X Step by Step
Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
Microsoft Corporation
Published: February 2008

Abstract
Network Access Protection (NAP) is a new policy enforcement technology in the Windows Vista®, Windows Server® 2008 and Windows XP with Service Pack 3 operating systems. NAP provides components and an application programming interface (API) set that help administrators enforce compliance with health requirements for network access and communication. This paper contains an introduction to NAP and instructions for setting up a test lab to deploy NAP with the 802.1X enforcement method. The lab requires two server and two client computers, and an 802.1X compliant switch that supports the use of RADIUS tunnel attributes to specify the 802.1X client VLAN. With this test network, you can create and enforce client health requirements using NAP and the 802.1X features on your switch.

Copyright Information
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2008 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. 
Contents
Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
  Abstract
  Copyright Information
  Contents
Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
  In this guide
  802.1X NAP enforcement overview
  Scenario overview
    NAP enforcement processes
      Policy validation
      NAP enforcement and network restriction
      Remediation
      Ongoing monitoring to ensure compliance
  Hardware and software requirements
  Steps for configuring the test lab
  Configure the 802.1X compliant switch
  Configure DC1
    Install the operating system on DC1
    Configure TCP/IP on DC1
    Configure DC1 as a domain controller and DNS server
    Raise the domain functional level
    Install an enterprise root CA on DC1
    Create a user account in Active Directory
    Add user1 to the Domain Admins group
    Create a security group for NAP client computers
  Configure NPS1
    Install Windows Server 2008
    Configure TCP/IP properties on NPS1
    Join NPS1 to the contoso.com domain
    User Account Control
    Install the NPS server role
    Install the Group Policy Management feature
    Obtain a computer certificate on NPS1
    Configure NPS as a NAP health policy server
      Configure NAP with a wizard
      Verify NAP policies
      Configure SHVs
    Configure NAP client settings in Group Policy
      Configure security filters for the NAP client settings GPO
  Configure CLIENT1
    Install Windows Vista and configure TCP/IP on CLIENT1
    Join CLIENT1 to the contoso.com domain
    Add CLIENT1 to the NAP client computers security group
    Enable Run on the Start menu
    Verify Group Policy settings
    Configure authentication methods
  Configure CLIENT2
    Install Windows Vista and configure TCP/IP on CLIENT2
    Join CLIENT2 to the contoso.com domain
    Complete configuration of CLIENT2
  802.1X NAP enforcement demonstration
    Allow ICMP through Windows Firewall
    Set up desktop shortcuts
    Demonstrate CLIENT1 to CLIENT2 connectivity
    Demonstrate NAP enforcement
    Demonstrate auto-remediation
  See Also
Appendix
  Set UAC behavior of the elevation prompt for administrators
  Review NAP client events
  Review NAP server events

Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab

Network Access Protection (NAP) is a new technology introduced in Windows Vista® and Windows Server® 2008, and available for Windows XP with Service Pack 3. NAP allows you to create and enforce health requirements for software and system configurations of computers that connect to your network. NAP assesses the health of client computers and, optionally, limits network access when client computers are deemed noncompliant with these requirements. NAP is deployed using multiple client and server components. Some NAP components are present in every deployment, while others vary according to the NAP enforcement method or methods you have chosen.

Figure 1: Components of NAP

NAP enforces health policies for the following network access and communication technologies:
• Internet Protocol security (IPsec)
• 802.1X port-based wired and wireless network access control
• VPN with Routing and Remote Access
• Dynamic Host Configuration Protocol (DHCP) IPv4 address lease and renewal
• Terminal Services Gateway (TS Gateway)

NAP enforcement occurs when client computers attempt to access the network through network access servers, such as an 802.1X access point (AP) or virtual private network (VPN) server, or when clients attempt to communicate with other protected network resources.

In this guide

This guide provides step-by-step instructions for deploying 802.1X NAP enforcement in a test lab using two server computers and two client computers. Software and hardware requirements are provided, as well as a brief overview of NAP and the 802.1X enforcement method.

Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

802.1X NAP enforcement overview

The IEEE 802.1X-2001 and 802.1X-2004 standards define port-based user authentication methods used when accessing both wired and wireless network infrastructures. An 802.1X deployment consists of three major components:

Supplicant
A computer that requests access to a network. The supplicant is attached to the pass-through authenticator.

Pass-through authenticator
Typically a switch or wireless AP that enforces port-based authentication.

Authentication server
A computer that authenticates and authorizes a supplicant connection attempt on behalf of the pass-through authenticator. Supplicant credentials are validated by the authentication server using an authentication service, such as the Remote Authentication Dial-In User Service (RADIUS). Following evaluation of the connection attempt, the RADIUS server responds to the pass-through authenticator, indicating whether the supplicant is allowed to connect.

Components of the 802.1X authentication process are shown in the following figure.

Figure 2: Components of 802.1X

In an 802.1X NAP enforcement scenario, 802.1X authentication is accomplished using Extensible Authentication Protocol (EAP). EAP messages used in the authentication process for 802.1X are transported between the pass-through authenticator and the supplicant by a method called EAP over LAN (EAPoL). NAP enforcement for 802.1X port-based network access control is deployed with an NPS server, an 802.1X authenticating switch or an 802.1X compliant wireless AP, and an EAP enforcement client component. Network Policy Server (NPS), the technology that replaces Internet Authentication Service (IAS) in Windows Server 2008, communicates with an 802.1X compliant switch or 802.1X compliant wireless AP using the RADIUS protocol. NPS instructs the switch or AP to place clients that are noncompliant with network health requirements on a restricted network by applying IP filters or a VLAN identifier to the connection. 802.1X NAP enforcement provides strong network access control for all computers connecting to the network through 802.1X-capable network access devices.

Note
In addition to integration with NAP, Windows Server 2008 and Windows Vista include enhancements to support 802.1X authenticating switches for 802.3 wired Ethernet connections. Enhancements include an extended Active Directory schema for Group Policy support and netsh lan command-line interface support for configuring wired 802.1X settings. For more information, see Active Directory Schema Extensions for Windows Vista Wired and Wired Group Policy Enhancements (http://go.microsoft.com/fwlink/?LinkId=70195) and Netsh Commands for Wired Local Area Network (lan) (http://go.microsoft.com/fwlink/?LinkId=76244).

Scenario overview

In this test lab, NAP-capable client computers with valid authentication credentials will be provided different VLAN identifiers based on their compliance with network health requirements.

NAP enforcement processes

Several processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.

Policy validation

System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network policies that determine actions to be taken based on client health status, such as the granting of full network access or the restricting of network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations. Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista and Windows Server 2008 operating systems, and enforce the following settings for NAP-capable computers:
• The client computer has firewall software installed and enabled.
• The client computer has antivirus software installed and running.
• The client computer has current antivirus updates installed.
• The client computer has antispyware software installed and running.
• The client computer has current antispyware updates installed.
• Microsoft Update Services is enabled on the client computer.

In addition, if NAP-capable client computers are running Windows Update Agent, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).

This test lab will use the WSHA and WSHV to require that client computers have turned on Windows Firewall.

NAP enforcement and network restriction

NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:
• Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
• Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.
• Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.

You will use the NAP configuration wizard to create two network policies in this test lab. A compliant policy will grant full network access to an intranet network segment. A noncompliant policy will demonstrate network restriction by issuing a VLAN identifier that places the client computer on a restricted network.

Remediation

Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures. You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.

Ongoing monitoring to ensure compliance

NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when their health state changes, and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when Windows Firewall is turned off on a client computer, causing it to be noncompliant with network health requirements. The network access of the noncompliant computer is immediately updated to a restricted state by assigning it a different VLAN identifier.

Hardware and software requirements

The following are required components of the test lab:
• The product disc for Windows Server 2008.
• The product disc for the Windows Server 2003 Standard Edition operating system with Service Pack 2 (SP2).
• The product disc for Windows Vista Business, Windows Vista Enterprise, or Windows Vista Ultimate.
• One computer that meets the minimum hardware requirements for Windows Server 2008. This computer is named NPS1, and will run the NPS service functioning as a NAP health policy server.
• One computer that meets the minimum hardware requirements for Windows Server 2003 Standard Edition with SP2. This computer is named DC1, and serves as a domain controller for the Contoso.com domain.

Note
This lab will demonstrate NAP support for Active Directory with Windows Server 2003. The domain controller in this lab can also run Windows Server 2008.

• Two computers that meet the minimum hardware requirements for Windows Vista. These computers are named CLIENT1 and CLIENT2, and will host the required client-side NAP components.
• One layer 2 or layer 3 switch that supports 802.1X port-based authentication and RADIUS tunnel attributes for VLAN assignment. The switch does not have to be OSI layer 3-capable.

Steps for configuring the test lab

Configuration of the test lab consists of the following steps:
• Configure the 802.1X compliant switch. The switch used in this test lab must be 802.1X compliant, and must support the use of RADIUS tunnel attributes to specify a client VLAN identifier (ID).
• Configure DC1. DC1 is a server computer running Windows Server 2003, Standard Edition. DC1 is configured as a domain controller with the Active Directory® directory service and the primary DNS server for the intranet subnet.
• Configure NPS1. NPS1 is a server computer running Windows Server 2008. NPS1 is configured with the Network Policy Server (NPS) service, which functions as a NAP health policy server and a Remote Authentication Dial-in User Service (RADIUS) server.
• Configure CLIENT1 and CLIENT2. CLIENT1 and CLIENT2 are computers running Windows Vista. CLIENT1 and CLIENT2 will be configured as NAP clients.

After the NAP components are configured, this guide will provide steps for a demonstration of NAP enforcement and auto-remediation. The following sections provide details about how to perform these tasks.

Note
You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

A summary of the test network is shown in the following figure, including the names of each computer and their assigned IP addresses.

Figure 3: 802.1X enforcement test lab configuration

Configure the 802.1X compliant switch

The 802.1X-compliant switch used in this test lab must support the use of RADIUS tunnel attributes to specify a client VLAN ID. These attributes are used to specify separate VLAN IDs for compliant and noncompliant NAP client computers. Because switch configuration commands vary based on the type of switch, this guide assumes the user is able to configure an 802.1X-compliant switch for the demonstration with an IP address of 192.168.0.3/24 and three VLANs, as described below.
• VLAN ID 1 is named "DEFAULT_VLAN." All ports on the switch are untagged members of this VLAN. The switch is assigned a network address of 192.168.0.3/24 on this VLAN.
• VLAN ID 2 is named "NONCOMPLIANT_VLAN." Clients determined to be noncompliant with health requirements are placed on this VLAN.
• VLAN ID 3 is named "COMPLIANT_VLAN." Clients determined to be compliant with health requirements are placed on this VLAN.

The switch must be configured to use NPS1 for 802.1X authentication, authorization, and accounting settings. The ports used to connect DC1 and NPS1 should not require 802.1X authentication and authorization, and such ports should be available for CLIENT1 and CLIENT2 to join the domain prior to configuring authentication methods. For the demonstration of 802.1X enforcement, clients should be connected to ports with active authentication. If a layer 3 switch is used, inter-VLAN routing should also be disabled between the compliant and noncompliant VLANs.

Configure DC1

DC1 is a computer running Windows Server 2003 Standard Edition with SP2, providing the following services:
• A domain controller for the Contoso.com Active Directory domain.
• A DNS server for the Contoso.com DNS domain.
• The enterprise root certification authority (CA) for the Contoso.com domain.

Note
Auto-enrollment of user certificates for EAP-TLS authentication is available with Windows Server 2003 Enterprise Edition. For this test lab deployment, the Certificates Request Wizard will be used to obtain a computer certificate for NPS1.

DC1 configuration consists of the following steps:
• Install the operating system.
• Configure TCP/IP.
• Install Active Directory and DNS.
• Install an enterprise root CA.
• Create a user account and group in Active Directory.
• Create a NAP client computer security group.

Install the operating system on DC1

To install the operating system on DC1
1. Start your computer using the Windows Server 2003 product disc.
2. Install Windows Server 2003 Standard Edition with SP2, as a stand-alone server. When prompted for a computer name, type DC1.

Configure TCP/IP on DC1

Configure the TCP/IP protocol with a static IP address of 192.168.0.1 and the subnet mask of 255.255.255.0.

To configure TCP/IP on DC1
1. Click Start, click Control Panel, and then double-click Network Connections.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Select Use the following IP address, type 192.168.0.1 next to IP address, and type 255.255.255.0 next to Subnet mask.
5. Verify that Preferred DNS server is blank.
6. Click OK, click Close, and then close the Network Connections window.

Configure DC1 as a domain controller and DNS server

DC1 will serve as the only domain controller and DNS server for the Contoso.com domain.

To configure DC1 as a domain controller and DNS server
1. To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER.
2. In the Active Directory Installation Wizard dialog box, click Next.
3. Operating system compatibility information is displayed. Click Next again.
4. Verify that Domain controller for a new domain is chosen, and then click Next.
5. Verify that Domain in a new forest is chosen, and then click Next.
6. On the Install or Configure DNS page, choose No, just install and configure DNS on this computer, and then click Next.
7. Type Contoso.com next to Full DNS name for new domain, and then click Next.
8. Confirm that the Domain NetBIOS name shown is CONTOSO, and then click Next.
9. Accept the default Database Folder and Log Folder directories, and then click Next.
10. Accept the default folder location for Shared System Volume, and then click Next.
11. Verify that Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems is selected, and then click Next.
12. Leave the Restore Mode Password and Confirm Password text boxes blank, and then click Next.
13. Review the summary information provided, and then click Next.
14. Wait while the wizard completes the configuration of Active Directory and DNS services, and then click Finish.
15. When prompted to restart the computer, click Restart Now.
16. After the computer has been restarted, log in to the CONTOSO domain using the Administrator account.

Raise the domain functional level

To raise the domain functional level
1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. In the left pane of the Active Directory Domains and Trusts dialog box, right-click contoso.com, and then click Raise Domain Functional Level.
3. From the drop-down list box, choose Windows Server 2003, and then click Raise, as shown in the following figure:
4. In the dialog box that warns this change cannot be reversed, click OK.
5. In the dialog box that confirms the functional level was raised successfully, click OK.

Install an enterprise root CA on DC1

To support TLS authentication for Protected Extensible Authentication Protocol (PEAP), the server running NPS must have a computer certificate that the client computers trust. To accomplish this, install and configure an enterprise root CA on DC1.

To install an enterprise root CA on DC1
1. Click Start, point to Control Panel, and then click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. In the Windows Components Wizard dialog box, select Certificate Services, and then click Next.
4. If a Microsoft Certificate Services dialog box appears warning you that the domain name and computer name cannot be changed, click Yes.
5. Select Enterprise root CA, and then click Next.
6. In Common name for this CA, type Root CA, and then click Next. The following figure shows an example.
7. In the Windows Components Wizard dialog box, click Next, and then click Next again.
8. If a Microsoft Certificate Services dialog box appears, warning you that Internet Information Services (IIS) is not installed, click OK. You do not need to install IIS on DC1 for certificate Web enrollment support.
9. Click Finish to complete the steps in the Windows Component Wizard.
10. Close the Add or Remove Programs window.

Create a user account in Active Directory

Next, create a user account in Active Directory. This account will be used when logging in to NPS1, CLIENT1, and CLIENT2.

To create a user account in Active Directory
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, double-click contoso.com, right-click Users, point to New, and then click User.
3. In the New Object - User dialog box, next to Full name, type User1 User, and in User logon name, type User1. Click Next.
4. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.
5. Clear the User must change password at next logon check box, and select the Password never expires check box.
6. Click Next, and then click Finish.
7. Leave the Active Directory Users and Computers console open for the following procedure.

Add user1 to the Domain Admins group

Next, add the newly created user to the Domain Admins group so this user can perform all configuration steps.

To add a user to the Domain Admins group
1. In the Active Directory Users and Computers console tree, click Users.
2. In the details pane, double-click Domain Admins.
3. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.
4. Under Enter the object names to select (examples), type User1, the user name that you created in the preceding procedure, and then click OK twice.
5. Leave the Active Directory Users and Computers console open for the following procedure.

Create a security group for NAP client computers

Next, create a security group for use with Group Policy security filtering. This security group will be used to apply NAP client computer settings to only the computers you specify. CLIENT1 and CLIENT2 will be added to this security group after they are joined to the domain.

To create a security group for NAP client computers
1. In the Active Directory Users and Computers console tree, right-click contoso.com, point to New, and then click Group.
2. In the New Object - Group dialog box, under Group name, type NAP client computers.
3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
4. Close the Active Directory Users and Computers console.

Configure NPS1

For the test lab, NPS1 will be running Windows Server 2008 and will host NPS, which provides RADIUS authentication, authorization, and accounting for the 802.1X-capable switch.

NPS1 configuration consists of the following steps:
• Install the operating system.
• Configure TCP/IP.
• Join the computer to the domain.
• Install the NPS server role.
• Install the Group Policy Management feature.
• Obtain a computer certificate.
• Configure NPS as a NAP health policy server.
• Configure NAP client settings in Group Policy.

The following sections provide details about how to perform these tasks.

Install Windows Server 2008

To install Windows Server 2008
1. Start your computer using the Windows Server 2008 product CD.
2. When prompted for the installation type, choose Custom.
3. Follow the rest of the instructions that appear on your screen to finish the installation.

Configure TCP/IP properties on NPS1

To configure TCP/IP properties on NPS1
1. Click Server Manager.
2. Under Server Summary, click View Network Connections.
3. In the Network Connections dialog box, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
5. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. Select Use the following IP address. In IP address, type 192.168.0.2. In Subnet mask, type 255.255.255.0.
7. Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1.
8. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
9. Close the Network Connections window. Do not close the Server Manager window. It will be used in the next procedure.
10. Next, check to ensure that network communication between NPS1 and DC1 is working by running the ping command from NPS1. Click Start, in Open type cmd, and then press ENTER.
11. At the command prompt, type ping DC1, and then press ENTER.
12. Verify that the response reads "Reply from 192.168.0.1".

Join NPS1 to the contoso.com domain

To join NPS1 to the contoso.com domain
1. Verify the Server Manager window is still open from the preceding procedure. Under Server Summary, click Change System Properties.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, and then under Domain, type contoso.com.
4. In the Computer Name/Domain Changes dialog box, under Computer name, click More. Under Primary DNS suffix of this computer, type contoso.com, and then click OK twice.
5. When prompted for a user name and password, type User1 and password for the user account that you added to the Domain Admins group, and then click Submit.
6. When you see a dialog box welcoming you to the contoso.com domain, click OK.
7. When you see a dialog box telling you to restart the computer, click Close.
8. On the System Properties dialog box, click Close.
9. When you see a dialog box telling you to restart the computer, click Restart Now.
10. After the computer restarts, click Switch User, then click Other User and log on to the CONTOSO domain with the User1 account you created.

User Account Control

Several of the configuration tasks to follow require UAC approval; you are required to click Continue in the User Account Control (UAC) dialog box for some tasks. When prompted, always click Continue to authorize these changes. Alternatively, see the Appendix of this guide for instructions about how to set UAC behavior of the elevation prompt for administrators.
User Account Control
When configuring the Windows Vista or Windows Server 2008 operating systems, you are required to click Continue in the User Account Control (UAC) dialog box for some tasks. Several of the configuration tasks to follow require UAC approval. When prompted, always click Continue to authorize these changes. Alternatively, see the Appendix of this guide for instructions about how to set UAC behavior of the elevation prompt for administrators.

Install the NPS server role
To install the NPS server role
1. Click Start, and then click Server Manager.
2. In Server Manager, under Roles Summary, click Add Roles, and then click Next.
3. Select the Network Policy and Access Services check box, and then click Next twice.
4. Select the Network Policy Server check box, click Next, and then click Install.
5. Verify the installation was successful, and then click Close to close the Add Roles Wizard dialog box.
6. Leave Server Manager open for the following procedure.

Install the Group Policy Management feature
Group Policy will be used to configure NAP client settings in the test lab. To access these settings, the Group Policy Management feature must be installed on a computer running Windows Server 2008.

To install the Group Policy Management feature
1. In Server Manager, under Features Summary, click Add Features.
2. Select the Group Policy Management check box, click Next, and then click Install.
3. Verify the installation was successful, and then click Close to close the Add Features Wizard dialog box.
4. Close Server Manager.

Obtain a computer certificate on NPS1
To provide server-side PEAP authentication, the server running NPS uses a computer certificate that is stored in its local computer certificate store. Certificate Manager will be used to obtain a computer certificate from the certification authority service on DC1.

To obtain a computer certificate on NPS1
1. Click Start, click Run, in Open, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. Select Computer account, click Next, and then click Finish.
5. Click OK to close the Add or Remove Snap-ins dialog box.
6. In the left pane, double-click Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate. The Certificate Enrollment dialog box opens.
7. Click Next.
8. Select the Computer check box, and then click Enroll.
9. Verify that Succeeded is displayed to indicate the status of certificate installation, and then click Finish.
10. Close the Console1 window. Click No when prompted to save console settings.

Configure NPS as a NAP health policy server
To serve as a NAP health policy server, NPS1 must validate the system health of clients against the configured network health requirements. For this test lab, configuration of NPS as a NAP health policy server is performed using the NAP configuration wizard. The NAP wizard helps you configure each NAP component to work with the NAP enforcement method you choose. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console, under Standard Configuration. The NAP components are displayed in the NPS console tree, and include:
• System Health Validators. System health validators (SHVs) define configuration requirements for computers that attempt to connect to your network. For this test lab, WSHV will be configured to require only that Windows Firewall is enabled.
• Health Policies. Health policies define which SHVs are evaluated, and how they are used in the validation of the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. The two health policies in this test lab correspond to a compliant health state and a noncompliant health state.
• Network Policies. Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements, and a network policy that will be applied to computers that are noncompliant. In this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted through the use of RADIUS attributes to specify a restricted VLAN ID. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.
• Connection Request Policies. Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. In this test lab, a connection request policy is used that requires the client computer to perform protected EAP (PEAP) authentication before being granted access to the network.
• RADIUS Clients and Servers. RADIUS clients are network access servers. In this test lab, the 802.1X compliant switch is configured as a RADIUS client on NPS. If you specify a RADIUS client, then a corresponding RADIUS server entry is required on the RADIUS client device. You must also configure the switch to recognize NPS as a RADIUS server.
• Remediation Server Groups. Remediation server groups allow you to specify servers that are made available to noncompliant NAP clients so that they can remediate their health state and become compliant with health requirements. If these servers are required, they must be made available on the restricted access VLAN so they are accessible to noncompliant computers. Because Windows Firewall is the only health requirement in the test lab, no remediation servers are required. For this lab, you do not have to configure remediation server groups in the NPS console.

Configure NAP with a wizard
The NAP configuration wizard helps you set up NPS as a NAP health policy server.

To configure NPS using the NAP wizard
1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start.
4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IEEE 802.1X (Wired), and then click Next.
5. On the Specify 802.1X Authenticating Switches page, click Add.
6. In the New RADIUS Client dialog box, under Friendly name, type 802.1X Switch. Under Address (IP or DNS), type 192.168.0.3. Under Shared secret, type secret. Under Confirm shared secret, type secret, and then click OK. The shared secret secret is a lab value only: RADIUS uses it to authenticate the switch to NPS and to protect the response to the switch, so outside the lab use a long random secret that is unique to each RADIUS client.
7. Click Next.
8. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
9. On the Configure an Authentication Method page, confirm that the computer certificate obtained in the previous procedure is displayed under NPS Server Certificate, and that Secure Password (PEAP-MSCHAP v2) is selected under EAP types, and then click Next.
10. On the Configure Virtual LANs (VLANs) page, under Organization network VLAN, click Configure. VLAN ID 3 will be used for compliant computers. Use the following steps to configure VLAN properties for compliant computers:
a. In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Add.
b. In the Add Standard RADIUS Attribute dialog box, under Access type, choose Commonly used for 802.1x, click Tunnel-Medium-Type, and then click Add.
c. In the Attribute Information dialog box, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK.
d. Click Tunnel-Pvt-Group-ID, and then click Add. Another Attribute Information dialog box is displayed.
e. Under Enter the attribute value in, choose String. Under Attribute Value, type 3, and then click OK. This value represents the compliant VLAN ID used in this lab.
f. Click Tunnel-Type, and then click Add. Another Attribute Information dialog box is displayed.
g. Under Attribute Value, verify that Virtual LANs (VLAN) is selected, and then click OK.
h. Click Close.
i. Click the Vendor Specific attributes tab, and then click Add.
j. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft. Under Access type, choose Commonly used for 802.1x. Under Attributes, select Tunnel-Tag, and then click Add.
k. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
l. Click Close, and then click OK to close the Virtual LAN (VLAN) Configuration dialog box.
Note The Tunnel-Tag value is populated in all attributes used in this policy, and serves to group these attributes together, identifying them as belonging to a particular tunnel. Consult your vendor documentation to determine if a unique Tunnel-Tag value is required for your switch.
11. On the Configure Virtual LANs (VLANs) page, under Restricted network VLAN, click Configure. Use the following steps to configure VLAN properties for noncompliant computers. These steps are identical to those used for compliant computers with the exception that VLAN ID 2 is configured for noncompliant computers:
a. In the Virtual LAN (VLAN) Configuration dialog box, on the RADIUS standard attributes tab, click Add.
b. In the Add Standard RADIUS Attribute dialog box, under Access type, choose Commonly used for 802.1x, click Tunnel-Medium-Type, and then click Add.
c. In the Attribute Information dialog box, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK.
d. Click Tunnel-Pvt-Group-ID, and then click Add. Another Attribute Information dialog box is displayed.
e. Under Enter the attribute value in, choose String. Under Attribute Value, type 2, and then click OK. This value represents the noncompliant (restricted) VLAN ID used in this lab.
f. Click Tunnel-Type, and then click Add. Another Attribute Information dialog box is displayed.
g. Under Attribute Value, verify that Virtual LANs (VLAN) is selected, and then click OK.
h. Click Close.
i. Click the Vendor Specific attributes tab, and then click Add.
j. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft. Under Access type, choose Commonly used for 802.1x. Under Attributes, select Tunnel-Tag, and then click Add.
k. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.
l. Click Close, and then click OK to close the Virtual LAN (VLAN) Configuration dialog box.
12. Click Next. This completes the configuration of VLAN properties for compliant and noncompliant computers.
13. On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
14. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
15. Leave the NPS console open for the following procedure.
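The VLAN dialog above is a front end for three tagged RADIUS tunnel attributes that NPS places in the Access-Accept it returns to the switch, and the processing order verified in the next procedure decides which of the wizard's network policies supplies them. The following Python script is an added example written for this page; it is not code from the guide or from NPS. It mirrors the wizard's first-match policy order, builds the Access-Accept for each client outcome (compliant, noncompliant, non-NAP-capable), checks the Response Authenticator with the lab shared secret the way the switch does, and decodes the tagged attributes per RFC 2865 and RFC 2868. The attribute numbers and the VLAN IDs 3 and 2 come from the lab; the RADIUS identifier and the 16-byte request authenticator are constructed values, and the non-NAP-capable case is left with no VLAN attributes because the guide does not configure that policy.

```python
"""Added example (not from the guide): what the 802.1X switch receives from NPS.

Builds the Access-Accept that carries the VLAN dialog's tunnel attributes,
verifies it with the shared secret, and decodes it switch-side.
Attribute numbers and tag rules: RFC 2865 (packet format) and RFC 2868.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6                     # Tunnel-Type=VLAN, Tunnel-Medium-Type=802
COMPLIANT_VLAN, RESTRICTED_VLAN = 3, 2     # values typed into the VLAN dialog
SHARED_SECRET = b"secret"                  # lab value from New RADIUS Client
REQUEST_AUTH = bytes(range(16))            # constructed; real one comes from the switch


def tunnel_int(attr_type, tag, value):
    # RFC 2868 tagged integer: Type, Length=6, Tag, 3-byte big-endian value.
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tunnel_string(attr_type, tag, text):
    # RFC 2868 tagged string: Type, Length, Tag, string (no terminator).
    data = text.encode("ascii")
    return struct.pack(">BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id, tag=1):
    """The three standard attributes, all carrying the Tunnel-Tag (1) from the dialog."""
    return (tunnel_int(TUNNEL_TYPE, tag, VLAN)
            + tunnel_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + tunnel_string(TUNNEL_PVT_GROUP_ID, tag, str(vlan_id)))


def select_policy(nap_capable, firewall_enabled):
    """First-match evaluation in the processing order the wizard creates."""
    if not nap_capable:
        return "NAP 802.1X (Wired) Non NAP-Capable", None
    if firewall_enabled:                   # the only WSHV requirement in this lab
        return "NAP 802.1X (Wired) Compliant", COMPLIANT_VLAN
    return "NAP 802.1X (Wired) Noncompliant", RESTRICTED_VLAN


def access_accept(identifier, request_auth, secret, attributes):
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_auth, secret):
    """The switch's check: a forged reply or a wrong shared secret fails here."""
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_tunnel_attributes(packet):
    """Group the tunnel attributes by tag, as RFC 2868 requires the NAS to do."""
    groups, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        body = packet[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr_type == TUNNEL_PVT_GROUP_ID:
            if body[0] > 0x1F:          # RFC 2868 s3.6: not a tag, first byte of string
                tag, value = 0, body.decode("ascii")
            else:
                tag, value = body[0], body[1:].decode("ascii")
        else:
            continue                    # other attributes do not affect VLAN assignment
        groups.setdefault(tag, {})[attr_type] = value
    return groups


def vlan_for_port(packet):
    """VLAN the switch assigns to the port, or None if no complete tagged group."""
    for attrs in parse_tunnel_attributes(packet).values():
        if (attrs.get(TUNNEL_TYPE) == VLAN and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PVT_GROUP_ID in attrs):
            return int(attrs[TUNNEL_PVT_GROUP_ID])
    return None


def simulate(nap_capable, firewall_enabled, identifier=7,
             request_auth=REQUEST_AUTH, secret=SHARED_SECRET):
    """Policy selection -> Access-Accept -> switch-side verification and decode."""
    policy, vlan = select_policy(nap_capable, firewall_enabled)
    attrs = vlan_attributes(vlan) if vlan is not None else b""
    packet = access_accept(identifier, request_auth, secret, attrs)
    if not verify_response(packet, request_auth, secret):
        raise RuntimeError("response authenticator mismatch")
    return policy, vlan_for_port(packet), packet


if __name__ == "__main__":
    for capable, firewall in ((True, True), (True, False), (False, True)):
        policy, vlan, pkt = simulate(capable, firewall)
        print(f"{policy:36s} -> VLAN {vlan} ({len(pkt)}-byte Access-Accept)")
```

Two points the dialog hides are visible here: every attribute carries the same tag byte, and the switch must match Tunnel-Type, Tunnel-Medium-Type and Tunnel-Pvt-Group-ID within one tag group before it moves the port, which is why the guide tells you to check your vendor documentation for tag requirements. The Response Authenticator is the only integrity protection on the VLAN assignment, and it is keyed by the shared secret, so a guessable secret lets anyone who can reach UDP/1812 push a client onto the compliant VLAN.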
Verify NAP policies
In order for the health status of NAP client computers to be correctly evaluated by NPS, NAP policies that were created in the previous procedure must be enabled and configured with the correct processing order. By default, the NAP configuration wizard will create policies that are lower in processing order than any existing policies but higher in processing order than the default policies. However, if policies are created and removed, it is possible to change the processing order of the default connection request policy and network policies. Therefore, you should verify that the NAP policies created in the previous procedure are configured with the correct processing order. NPS uses the first policy whose conditions match, so a stray policy ordered above the NAP policies can silently grant (or deny) access without any health evaluation.

To verify NAP policies
1. In the Network Policy Server console tree, double-click Policies, and then click Connection Request Policies.
2. In the details pane, under Name, verify that the NAP connection request policy you created in the previous procedure is first in the processing order, or that other policies that match NAP client authentication attempts are disabled. Also verify that the status of this policy is Enabled. The default name of this policy is NAP 802.1X (Wired).
3. Click Network Policies, and verify that the network policies you created in the previous procedure are higher in the processing order than other policies that match NAP client authorization attempts, or that these other policies are disabled. Also verify that the status of these policies is Enabled. The default names of the three network policies created by the NAP configuration wizard are NAP 802.1X (Wired) Compliant, NAP 802.1X (Wired) Noncompliant, and NAP 802.1X (Wired) Non NAP-Capable. See the following example.
4. Click Health Policies, and verify that two policies were created. By default, these policies are named NAP 802.1X (Wired) Compliant and NAP 802.1X (Wired) Noncompliant.
5. Leave the NPS console open for the following procedure.

Configure SHVs
For this test lab, the WSHV will be configured to require only that Windows Firewall is enabled.

To configure system health validators
1. In the Network Policy Server console tree, double-click Network Access Protection, and then click System Health Validators.
2. In the details pane, double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. Clear all check boxes except A firewall is enabled for all network connections.
5. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.
6. Close the Network Policy Server console.

Configure NAP client settings in Group Policy
The following NAP client settings will be configured in a new Group Policy object (GPO) using the Group Policy Management feature on NPS1:
• NAP enforcement clients
• NAP Agent service
• Wired AutoConfig service
• Security Center user interface
After these settings are configured in the GPO, security filters will be added to enforce the settings on computers you specify. The following section describes these steps in detail.

To configure NAP client settings in Group Policy
1. On NPS1, click Start, click Run, type gpme.msc, and then press ENTER.
2. In the Browse for a Group Policy Object dialog box, next to Contoso.com, click the icon to create a new GPO, type NAP client settings for the name of the new GPO, and then click OK. The Group Policy Management Editor window will open.
3. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients.
4. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
5. In the console tree, right-click NAP Client Configuration, and then click Apply. If you are prompted to apply settings, click OK.
6. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
7. In the details pane, double-click Network Access Protection Agent.
8. In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.
9. In the details pane, double-click Wired AutoConfig.
10. In the Wired AutoConfig Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.
11. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center.
12. In the details pane, double-click Turn on Security Center (Domain PCs only).
13. Choose Enabled, and then click OK.
14. Close the Group Policy Management Editor window.

Configure security filters for the NAP client settings GPO
Next, configure security filters for the NAP client settings GPO. This prevents NAP client settings from being applied to server computers in the domain.

To configure security filters for the NAP client settings GPO
1. On NPS1, click Start, click Run, type gpmc.msc, and press ENTER.
2. In the Group Policy Management Console (GPMC) tree, navigate to Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects\NAP client settings.
3. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.
4. When you are prompted to confirm the removal of delegation privilege, click OK.
5. In the details pane, under Security Filtering, click Add.
6. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.
7. Close the GPMC.
Note The NAP client security group currently has no members. CLIENT1 and CLIENT2 will be added to this security group after each is joined to the domain.

Configure CLIENT1
CLIENT1 is a computer running Windows Vista that is acting as a client and gaining access to intranet resources using port-based authentication on the 802.1X compliant switch. CLIENT1 configuration consists of the following steps:
• Install the operating system and configure TCP/IP.
• Join the computer to the domain.
• Add CLIENT1 to the NAP client computers security group and restart the computer.
• Enable Run on the Start menu.
• Verify Group Policy settings.
• Configure authentication methods.
The following sections describe these steps in detail.

Install Windows Vista and configure TCP/IP on CLIENT1
To install Windows Vista and configure TCP/IP on CLIENT1
1. Install Windows Vista.
2. When prompted for a computer name, type CLIENT1.
3. When prompted for a user name, type user1.
4. When prompted to set network location, choose Work.
5. Click Start, and then click Control Panel.
6. Click Network and Internet, click Network and Sharing Center, and then click Manage network connections.
7. Right-click Local Area Connection, and then click Properties.
8. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
9. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
10. Select Use the following IP address. In IP address, type 192.168.0.100. In Subnet mask, type 255.255.255.0.
11. Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1.
12. Click OK, and then click Close.

Join CLIENT1 to the contoso.com domain
Important For this procedure, CLIENT1 should be connected to an uncontrolled port on the switch so that 802.1X authentication does not block client connection to DC1.

To join CLIENT1 to the contoso.com domain
1. Click Start, right-click Computer, and then click Properties.
2. Click Change settings.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, under Computer name, type CLIENT1. Click More, and then under Primary DNS suffix of this computer, type contoso.com, and then click OK.
5. In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, type contoso.com, and then click OK.
6. When prompted for a user name and password, type User1 and the password for the user1 account that you added to the Domain Admins group, and then click Submit.
7. When you see a dialog box that welcomes you to the contoso.com domain, click OK.
8. When you see a dialog box that tells you that you must restart the computer to apply changes, click OK.
9. On the System Properties dialog box, click Close.
10. In the dialog box that prompts you to restart the computer, click Restart Later.
Note Before you restart the computer, you must add it to the NAP client computers security group so that CLIENT1 will receive NAP client settings from Group Policy.

Add CLIENT1 to the NAP client computers security group
After joining the domain, CLIENT1 must be added to the NAP client computers security group so that it can receive NAP client settings.

To add CLIENT1 to the NAP client computers security group
1. On DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, double-click Contoso.com, and then click Users.
3. In the details pane, double-click NAP client computers.
4. In the NAP client computers Properties dialog box, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.
6. Under Enter the object names to select (examples), type CLIENT1, and then click OK.
7. Verify that CLIENT1 is displayed below Members, and then click OK.
8. Close the Active Directory Users and Computers console.
9. Restart CLIENT1 to apply the new security group membership.
10. After CLIENT1 has been restarted, click Switch User, and then click Other User and log on to the CONTOSO domain with the User1 account you created.

Enable Run on the Start menu
The run command is useful for several procedures in the test lab. To make it readily available, we will enable Run on the Start menu.

To enable Run on the Start menu
1. Right-click Start, and then click Properties.
2. In the Taskbar and Start Menu Properties window, select Start menu, and then click Customize.
3. In the Customize Start Menu window, select the Run command check box, and then click OK twice.

Verify Group Policy settings
After it has been restarted, CLIENT1 will receive Group Policy settings to enable the NAP Agent service and EAP enforcement client. The command line will be used to verify these settings.

To verify Group Policy settings on CLIENT1
1. Click Start, click Run, type cmd, and then press ENTER.
2. In the command window, type netsh nap client show grouppolicy, and then press ENTER.
3. In the command output, under Enforcement clients, verify that the Admin status of the EAP Quarantine Enforcement Client is Enabled.
4. In the command window, type netsh nap client show state, and then press ENTER.
5. In the command output, under Enforcement client state, verify that the Initialized status of the EAP Quarantine Enforcement Client is Yes.
6. Close the command window.
Configure authentication methods
Next, NAP health checks must be enabled in the authentication methods of the local area connection. For the test lab, authentication methods will be configured using local computer settings. These NAP client settings can also be configured in Group Policy using the Wired Network (IEEE 802.3) Policies node in the Group Policy Management Editor window, but this setting requires an Active Directory schema update when using a Windows Server 2003 domain controller. For more information, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements (http://go.microsoft.com/fwlink/?LinkId=70195).

To configure authentication methods
1. Click Start, right-click Network, and then click Properties.
2. Click Manage network connections.
3. Right-click Local Area Connection, and then click Properties.
4. Click the Authentication tab, and verify that Enable IEEE 802.1X authentication is selected.
5. Click Settings.
6. In the Protected EAP Properties dialog box, verify that only the following check boxes are selected, as shown in the following example:
• Validate server certificate
• Enable Quarantine checks
Leave Validate server certificate selected: it is what ties the client to the certificate NPS1 obtained from Root CA, and without it a rogue authenticator could terminate the PEAP tunnel and collect the MS-CHAP v2 exchange.
7. Clear the Enable Fast Reconnect check box.
8. Click Configure, verify that Automatically use my Windows logon name and password (and domain if any) is selected, and then click OK.
9. Click OK, and then click OK again to close the Local Area Connection Properties dialog box.

Configure CLIENT2
CLIENT2 is a computer running Windows Vista. With the exception of its IP address and computer name, CLIENT2 is configured identically to CLIENT1. CLIENT2 will demonstrate the loss of connectivity to CLIENT1 when Windows Firewall is turned off on CLIENT2 and CLIENT2 is moved to the noncompliant VLAN.

Install Windows Vista and configure TCP/IP on CLIENT2
To install Windows Vista and configure TCP/IP on CLIENT2
1. Install Windows Vista.
2. When prompted for a computer name, type CLIENT2.
3. When prompted for a user name, type user1.
4. When prompted to set network location, choose Work.
5. Click Start, and then click Control Panel.
6. Click Network and Internet, click Network and Sharing Center, and then click Manage network connections.
7. Right-click Local Area Connection, and then click Properties.
8. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
9. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
10. Select Use the following IP address. In IP address, type 192.168.0.101. In Subnet mask, type 255.255.255.0.
11. Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1.
12. Click OK, and then click Close.

Join CLIENT2 to the contoso.com domain
Important For this procedure, CLIENT2 should be connected to an uncontrolled port on the switch so that 802.1X authentication does not block client connection to DC1.

To join CLIENT2 to the contoso.com domain
1. Click Start, right-click Computer, and then click Properties.
2. Click Change settings.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, under Computer name, type CLIENT2. Click More, and then under Primary DNS suffix of this computer, type contoso.com, and then click OK.
5. In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, type contoso.com, and then click OK.
6. When prompted for a user name and password, type User1 and the password for the user1 account that you added to the Domain Admins group, and then click Submit.
7. When you see a dialog box that welcomes you to the contoso.com domain, click OK.
8. When you see a dialog box that prompts you to restart the computer, click OK.
9. On the System Properties dialog box, click Close.
10. In the dialog box that prompts you to restart the computer, click Restart Later.
Note Before you restart the computer, you must add it to the NAP client computers security group so that CLIENT2 will receive NAP client settings from Group Policy.

Complete configuration of CLIENT2
Configure CLIENT2 identically to CLIENT1 by following the same procedures to:
• Add CLIENT2 to the NAP client computers security group and restart the computer.
• Enable Run on the Start menu.
• Verify Group Policy settings.
• Configure authentication methods.

802.1X NAP enforcement demonstration
Ensure that both CLIENT1 and CLIENT2 are connected to ports on your 802.1X-compliant switch that have been configured with active authentication, authorization, and accounting settings. 802.1X NAP enforcement will be demonstrated with the ping command. CLIENT1 and CLIENT2 will display TCP/IP connectivity when both are determined to be compliant with network health requirements. However, when Windows Firewall is turned off on CLIENT2, NAP will detect that the computer is not compliant with network health requirements, and will restrict CLIENT2 to the noncompliant VLAN. CLIENT1 will no longer be able to ping CLIENT2. Finally, auto-remediation will be demonstrated by setting NAP enforcement in the noncompliant network policy to update noncompliant computers automatically.
Note You can also verify NAP enforcement by logging in to the 802.1X switch and viewing the status of port VLAN memberships.

Allow ICMP through Windows Firewall
Ping will be used to verify network connectivity of CLIENT1 and CLIENT2. To enable CLIENT1 and CLIENT2 to respond to ping, an exemption rule for ICMPv4 must be configured in Windows Firewall.

To allow ping on CLIENT1 and CLIENT2
1. On CLIENT1, click Start, and then click Run.
2. Type wf.msc, and then press ENTER.
3. In the console tree, right-click Inbound Rules, and then click New Rule.
4. Choose Custom, and then click Next.
5. Choose All programs, and then click Next.
6. Next to Protocol type, select ICMPv4.
7. Click Customize, choose Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
8. Click Next to accept the default scope.
9. On the Action page, verify that Allow the connection is chosen, and then click Next.
10. Click Next to accept the default profile.
11. In the Name window, under Name, type ICMPv4 echo request, and then click Finish.
12. Close the Windows Firewall with Advanced Security console.
13. Repeat this procedure on CLIENT2.

Set up desktop shortcuts
Desktop shortcuts are installed on CLIENT1 and CLIENT2 to allow you to change settings quickly and display the results of NAP enforcement and remediation.

To set up desktop shortcuts
1. On CLIENT1 and CLIENT2, click Start, click All Programs, click Accessories, right-click Command Prompt, point to Send To, and then click Desktop (create shortcut). A shortcut to Command Prompt is created on the desktop.
2. On CLIENT1 and CLIENT2, click Start, click Control Panel, click Security, right-click Windows Firewall, and then click Create Shortcut. A shortcut to Windows Firewall is created on the desktop.
3. On CLIENT1 and CLIENT2, click Start, click Control Panel, click Security, right-click Security Center, and then click Create Shortcut. A shortcut to Security Center is created on the desktop.

Demonstrate CLIENT1 to CLIENT2 connectivity
First, we will demonstrate TCP/IP connectivity between CLIENT1 and CLIENT2 by using the ping command. Because the switch does not allow ICMP between clients on different VLANs, a successful ping confirms that CLIENT1 and CLIENT2 are on the same VLAN.

To demonstrate CLIENT1 to CLIENT2 connectivity
1. On CLIENT1 and CLIENT2, double-click the Security Center shortcut and verify that Windows Firewall is on for both computers.
2. On CLIENT1, double-click the Command Prompt shortcut.
3. In the command window, type ping 192.168.0.101, and then press ENTER.
4. Verify that the response reads "Reply from 192.168.0.101." You should also verify VLAN membership through a console connection on your switch.

Demonstrate NAP enforcement
When the firewall is turned off on CLIENT2, the WSHA will specify a new health state for the computer that matches the noncompliant network policy on NPS1. As a result, CLIENT2 will be moved to the noncompliant VLAN. Because CLIENT1 and CLIENT2 are no longer on the same VLAN, no ping response will be returned from CLIENT2. To demonstrate NAP enforcement, you must first disable the auto-remediation setting in the noncompliant network policy on NPS1.

To demonstrate NAP enforcement
1. On NPS1, click Start, click Run, type nps.msc in Open, and then click OK.
2. Click Network Policies, and then double-click the noncompliant network policy created by the wizard (NAP 802.1X (Wired) Noncompliant by default).
3. Click the Settings tab.
4. Under Network Access Protection, click NAP Enforcement.
5. Under Auto remediation, clear the Enable auto-remediation of client computers check box, and then click OK.
6. Close the Network Policy Server window.
7. On CLIENT2, double-click the Windows Firewall shortcut.
8. In the Windows Firewall window on CLIENT2, click Change settings.
9. Select Off (not recommended), and then click OK.
10. In the Windows Security Center window on CLIENT2, verify that Windows Firewall is Off. When Windows Firewall is not on, you should see a notification that network access is limited.
11. Right-click the NAP icon in the notification area on CLIENT2, and then click Network Access Protection. The Network Access Protection window indicates that your computer is not compliant with the requirements of the network. See the following example.
12. In the command window on CLIENT1, type ping 192.168.0.101, and then press ENTER.
13. Verify that the response reads "Request timed out."
14. In the Windows Firewall window on CLIENT2, click Change settings.
15. Select On (recommended), and then click OK.
16. Verify that the Network Access Protection window and notification area change to indicate that the computer has been granted full network access.

Demonstrate auto-remediation
Next, a configured status of Windows Firewall of "off" on CLIENT2 will again cause CLIENT2 to be noncompliant with network health requirements. However, NAP auto-remediation will turn on Windows Firewall without user intervention. A new statement of health (SoH) is then issued to NPS1, which indicates that CLIENT2 is now compliant with network health requirements. Auto-remediation must be enabled in the noncompliant network policy on NPS1.

To demonstrate auto-remediation
1. On NPS1, click Start, click Run, type nps.msc in Open, and then click OK.
2. Click Network Policies, and then double-click the noncompliant network policy (NAP 802.1X (Wired) Noncompliant by default).
3. Click the Settings tab.
4. Under Network Access Protection, click NAP Enforcement.
5. Under Auto remediation, select Enable auto-remediation of client computers, and then click OK.
6. Close the Network Policy Server window.
7. In the command window on CLIENT1, type ping -t 192.168.0.101, and then press ENTER.
8. In the Windows Firewall window on CLIENT2, click Change settings.
9. Select Off (not recommended), and then click OK.
10. In Security Center on CLIENT2, verify that Windows Firewall is turned back on by NAP auto-remediation without user intervention. See the following example.
11. In the command window on CLIENT1, verify that the response reads "Reply from 192.168.0.101."
Click Network Policies.Demonstrate auto-remediation When NPS1 is set to enable auto-remediation of client computers. and click OK. 8. click Start. 7.101" to "Request timed out.0. and then press ENTER." 14. Verify that the command window on CLIENT1 changes from "Request timed out" to "Reply from 192. and then click OK. CLIENT2 will be unable to ping CLIENT1. Check the command window on CLIENT1. The ping will run continuously. In this state. when CLIENT2 undergoes NAP auto-remediation. The response should change from "Reply from 192. 6. Windows Firewall will be turned on. Network policy settings move CLIENT2 to the compliant VLAN. allowing CLIENT1 to successfully ping CLIENT2. The Network Access Protection window and notification area should indicate that the computer is compliant with requirements.101. 37 . 13. Select Off (not recommended).0.168. verify the status of Windows Firewall changes from Off to On. com/fwlink/?LinkId=56443 Appendix This appendix will help you with troubleshooting techniques and the setting of optional features in Windows Server 2008 and Windows Vista. Set UAC behavior of the elevation prompt for administrators By default. This service will prompt for permission to continue during several of the configuration tasks described in this guide. In all cases.See Also http://go. you can click Continue in the UAC dialog box to grant this 38 . User Account Control (UAC) is enabled in Windows Server 2008 and Windows Vista.microsoft. msc. Type eventvwr. 5. and then click OK. In the right pane. and then click Run. click Accessories. or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators. To review NAP server events in Event Viewer 1. Review NAP server events Reviewing information contained in Windows System events on your NAP servers can assist you with troubleshooting. Click Start and then click Run. In the left tree. 4. 3. 4. 3. 
double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. and press ENTER.msc. To set UAC behavior of the elevation prompt for administrators 1. 2. 2. Click an event in the middle pane. It can also help you to understand NAP client functionality. It can also help you to understand NAP server functionality. 7. From the drop-down list box. 39 . 3. and then click Security Options. 5. You can also right-click an event and then click Event Properties to open a new window for reviewing events. Type eventvwr. the General tab is displayed. By default. Review NAP client events Reviewing information contained in NAP client events can assist you with troubleshooting. 4. 6. and press ENTER. Click an event in the middle pane. click Continue. click Accessories. Click Start. double-click Local Policies. point to All Programs. In the left tree. 2. 6. Click the Details tab to view additional information. and then click Run. navigate to Event Viewer(Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational. and press ENTER. In the left pane.permission. Type secpol. choose Elevate without prompting. In the User Account Control dialog box. To review NAP client events in Event Viewer 1. Click Start. point to All Programs. Close the Local Security Policy window. navigate to Event Viewer(Local)\Custom Views\Server Roles\Network Policy and Access Services.msc. 5. By default. Click the Details tab to view additional information. You can also right-click an event and then click Event Properties to open a new window for reviewing events. the General tab is displayed. 40 . 6.
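The enforcement checks and the event review above can be scripted from CLIENT1 so that each firewall toggle on CLIENT2 is paired with the ping result and the NAP events that explain it. This is an added example, not part of the Microsoft guide; it assumes PowerShell 2.0 or later, that CLIENT2 is 192.168.0.101, the NAP client log name shown in the comments, and the standard NPS Security-log audit event IDs.

```powershell
# Added example (not from the Microsoft guide). Assumptions: PowerShell 2.0+,
# CLIENT2 at 192.168.0.101, the NAP client Operational log name below, and the
# NPS audit event IDs below (standard NPS values, not listed in the guide).

# Is Windows Firewall enabled for the current profile? (Windows Firewall COM API)
function Test-LabFirewall {
    $mgr = New-Object -ComObject HNetCfg.FwMgr
    return [bool]$mgr.LocalPolicy.CurrentProfile.FirewallEnabled
}

# Equivalent of "ping 192.168.0.101" from CLIENT1: $true only when a reply arrives,
# which on this lab switch means both clients are on the same VLAN.
function Test-LabPing {
    param([string]$Target = '192.168.0.101')
    return [bool](Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue)
}

# NAP client Operational events (Event Viewer: Applications and Services Logs\
# Microsoft\Windows\Network Access Protection\Operational). Log name assumed.
function Get-NapClientEvents {
    param([int]$Newest = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# NPS decisions on NPS1 are audited in its Security log: 6272 access granted,
# 6273 access denied, 6276 quarantined (restricted), 6278 full access (health OK).
# Same data as the "Network Policy and Access Services" custom view; run as an
# account allowed to read the Security log remotely.
function Get-NpsDecisionEvents {
    param([string]$Server = 'NPS1', [int]$Newest = 20)
    Get-WinEvent -ComputerName $Server -MaxEvents $Newest -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6276, 6278 } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Run from CLIENT1 while toggling Windows Firewall on CLIENT2. Expected pairing:
# firewall On -> ping succeeds (compliant VLAN); firewall Off -> ping times out,
# and a 6276 event appears on NPS1 followed by a 6278 once auto-remediation runs.
"Firewall enabled on this computer : $(Test-LabFirewall)"
"Ping to CLIENT2 succeeds          : $(Test-LabPing)"
Get-NapClientEvents | Format-Table -AutoSize
Get-NpsDecisionEvents | Format-Table -AutoSize
```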